HCSC 2024 - Forensic 4.
Description
The attacker manipulated the Registry to handle some UAC restrictions. What is the full path of the modified registry value and which is the privileged user account taken over by the attacker and used to take this action?
(example: hcsc{HKXX\full\registry\path\To\The\Value_privuser}
)
Metadata
- Tags:
event log
,4688
,reg.exe
,LocalAccountTokenFilterPolicy
- Points:
300
- Number of solvers:
18
- Filename: -
Solution
By analyzing the Event Log, we can find interesting process creation events (with Event Id 4688
) around the day 2024-03-20
(we know the interesting day from the previous challenges). By analyzing the events, we can see that reg.exe
was executed several times by user jachan
to manipulate the Registry
. In the Process Command Line
line you can see the key and value that was set by reg.exe
(LocalAccountTokenPolicy
).
The task can also be solved by searching for Registry
based UAC bypass solutions in Google and looking for the results in the Event Log.
Flag: hcsc{HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy_jachan}